From bb2e20d353923f02e090552a4dabc1cbd80770e6 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 3 Feb 2025 14:01:59 +0100
Subject: [PATCH 1/3] testing/btest: Use OPENSSL_ENABLE_SHA1_SIGNATURES

This reverts the call to update-crypto-policies in the Fedora 41 image and instead sets OPENSSL_ENABLE_SHA1_SIGNATURES in the individual tests. This allows RHEL 10 or Fedora 41 users to run the tests in question without needing to fiddle with system settings.

Fixes #4035
---
 ci/fedora-41/Dockerfile | 6 +-----
 testing/btest/bifs/x509_verify.zeek | 4 +++-
 testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test | 4 +++-
 .../btest/scripts/policy/protocols/ssl/validate-certs.zeek | 4 +++-
 .../btest/scripts/policy/protocols/ssl/validate-ocsp.zeek | 6 ++++--
 5 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/ci/fedora-41/Dockerfile b/ci/fedora-41/Dockerfile
index e98cd500bd..e3d737a562 100644
--- a/ci/fedora-41/Dockerfile
+++ b/ci/fedora-41/Dockerfile
@@ -2,7 +2,7 @@ FROM fedora:41
 
 # A version field to invalidate Cirrus's build cache when needed, as suggested in
 # https://github.com/cirruslabs/cirrus-ci-docs/issues/544#issuecomment-566066822
-ENV DOCKERFILE_VERSION 20241115
+ENV DOCKERFILE_VERSION 20250203
 
 RUN dnf -y install \
 bison \
@@ -33,7 +33,3 @@ RUN dnf -y install \
 && dnf clean all && rm -rf /var/cache/dnf
 
 RUN pip3 install websockets junit2html
-
-# Required to allow validation of certificates with SHA1 signatures
-# See: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer
-RUN update-crypto-policies --set FEDORA40
diff --git a/testing/btest/bifs/x509_verify.zeek b/testing/btest/bifs/x509_verify.zeek
index cb59d3f4aa..59291bcae2 100644
--- a/testing/btest/bifs/x509_verify.zeek
+++ b/testing/btest/bifs/x509_verify.zeek
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
 
 # This is a hack: the results of OpenSSL 1.1's vs 1.0's
 # X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
index 4e5a20a2ce..6b5992f640 100644
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 
 @load base/protocols/ssl
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
index f878ead3db..763c2fa24f 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-certs.zeek
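Review bot: The new comment on the added first line explains the symptom but not the source: the reference that this same patch deletes from ci/fedora-41/Dockerfile is the only place in the tree that documented where the SHA1 distrust comes from, so I would carry it into this comment, e.g. `# See: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustSHA1SigVer`. It would also help to state that, as far as I know, the variable is honored only by the Fedora/RHEL downstream OpenSSL build and is inert elsewhere, so setting it unconditionally does not loosen verification on other platforms; that is worth confirming before writing it down. The same comment block is added in the ocsp-stapling.test, validate-certs.zeek and validate-ocsp.zeek hunks, so whatever wording is chosen should be applied to all four.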
@@ -1,4 +1,6 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log > ssl-all.log
 # @TEST-EXEC: zeek -b -C -r $TRACES/tls/missing-intermediate.pcap $SCRIPTS/external-ca-list.zeek %INPUT
 # @TEST-EXEC: cat ssl.log >> ssl-all.log
diff --git a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
index c3a32da70d..835261172d 100644
--- a/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/validate-ocsp.zeek
@@ -1,6 +1,8 @@
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
+# Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
+#
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl.log
-# @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-twimg.trace %INPUT
 # @TEST-EXEC: mv ssl.log ssl-twimg.log
 # @TEST-EXEC: TEST_DIFF_CANONIFIER="$SCRIPTS/diff-remove-x509-names | $SCRIPTS/diff-remove-timestamps" btest-diff ssl-twimg.log
 # @TEST-EXEC: zeek -b $SCRIPTS/external-ca-list.zeek -C -r $TRACES/tls/ocsp-stapling-digicert.trace %INPUT
From ad370c0c37af43e9f381e3a457bd51926bf24df9 Mon Sep 17 00:00:00 2001
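Review bot: The second zeek invocation in validate-certs.zeek (the `missing-intermediate.pcap` run, a context line in that hunk) and the last one in validate-ocsp.zeek (`ocsp-stapling-digicert.trace`, also context) are left without OPENSSL_ENABLE_SHA1_SIGNATURES=1 while their sibling invocations in the same file get it. If those chains carry no SHA1 signatures the narrower scope is the right choice, but nothing in either file says so and a later reader will read it as an oversight; a short comment on each such line, e.g. `# chain has no SHA1 signatures, override intentionally not set`, or adding the variable if the traces do need it, would settle that. Whether those two runs actually validate without the override on a Fedora/RHEL host is not visible from the diff, so this should be checked against the fedora-41 CI job.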
From: Arne Welzel
Date: Mon, 3 Feb 2025 14:12:18 +0100
Subject: [PATCH 2/3] btest/x509_verify: Drop OpenSSL 1.0 hack

We do not have a distro in CI anymore that ships OpenSSL 1.0, drop the hack.
---
 .../bifs.x509_verify/{stdout-openssl-1.0 => out} | 0
 .../Baseline/bifs.x509_verify/stdout-openssl-1.1 | 8 --------
 testing/btest/bifs/x509_verify.zeek | 13 ++-----------
 3 files changed, 2 insertions(+), 19 deletions(-)
 rename testing/btest/Baseline/bifs.x509_verify/{stdout-openssl-1.0 => out} (100%)
 delete mode 100644 testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1

diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0 b/testing/btest/Baseline/bifs.x509_verify/out
similarity index 100%
rename from testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.0
rename to testing/btest/Baseline/bifs.x509_verify/out
diff --git a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1 b/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1
deleted file mode 100644
index 35d46a3393..0000000000
--- a/testing/btest/Baseline/bifs.x509_verify/stdout-openssl-1.1
+++ /dev/null
@@ -1,8 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-Validation result: certificate has expired
-Validation result: ok
-Resulting chain:
-Fingerprint: 70829f77ff4b6e908324a3f4e1940fce6c489098, Subject: CN=www.tobu-estate.com,OU=Terms of use at www.verisign.com/rpa (c)05,O=TOBU RAILWAY Co.\,Ltd.,L=Sumida-ku,ST=Tokyo,C=JP
-Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476, Subject: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
-Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27, Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US
-Fingerprint: 742c3192e607e424eb4549542be1bbc53e6174e2, Subject: OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US
diff --git a/testing/btest/bifs/x509_verify.zeek b/testing/btest/bifs/x509_verify.zeek
index 59291bcae2..aabb3496a6 100644
--- a/testing/btest/bifs/x509_verify.zeek
+++ b/testing/btest/bifs/x509_verify.zeek
@@ -1,16 +1,7 @@
 # Fedora/RedHat have SHA1 disabled for certificate verification, re-enable it for testing by setting OPENSSL_ENABLE_SHA1_SIGNATURES=1
 #
-# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT
-
-# This is a hack: the results of OpenSSL 1.1's vs 1.0's
-# X509_verify_cert() -> X509_STORE_CTX_get1_chain() calls
-# differ. Word seems to be that OpenSSL 1.1's cert-chain-building
-# code is significantly different/rewritten so may be the reason...
-
-# @TEST-EXEC: cp .stdout stdout-openssl-1.0
-# @TEST-EXEC: cp .stdout stdout-openssl-1.1
-
-# @TEST-EXEC: grep -q "ZEEK_HAVE_OPENSSL_1_1" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-1.1 || btest-diff stdout-openssl-1.0
+# @TEST-EXEC: OPENSSL_ENABLE_SHA1_SIGNATURES=1 zeek -b -r $TRACES/tls/tls-expired-cert.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
 
 @load base/protocols/ssl
 
From 8b645243cb17ef6719aa7894841f657a4ada24d3 Mon Sep 17 00:00:00 2001
From: Arne Welzel
Date: Mon, 3 Feb 2025 16:01:55 +0100
Subject: [PATCH 3/3] external/subdir-btest.cfg: Set OPENSSL_ENABLE_SHA1_SIGNATURES=1

We already do something similar for OPENSSL_ENABLE_MD5_VERIFY=1
---
 testing/external/subdir-btest.cfg | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/testing/external/subdir-btest.cfg b/testing/external/subdir-btest.cfg
index 20c8500948..9c7a1e2f5e 100644
--- a/testing/external/subdir-btest.cfg
+++ b/testing/external/subdir-btest.cfg
@@ -25,4 +25,6 @@ BUILD=%(testbase)s/../../../%(build_dir)s
 ZEEK_DNS_FAKE=1
 # Fedora/CentOS/RedHat have MD5 disabled for certificate verification and need setting an environment variable to permit it:
 OPENSSL_ENABLE_MD5_VERIFY=1
+# Fedora/RedHat have SHA1 disabled for certificate verification and need setting an environment variable to permit it:
+OPENSSL_ENABLE_SHA1_SIGNATURES=1
 UBSAN_OPTIONS=print_stacktrace=1
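Review bot: The new comment added to subdir-btest.cfg names `Fedora/RedHat` while the MD5 line directly above it, which it deliberately mirrors, says `Fedora/CentOS/RedHat`; both variables come from the same downstream OpenSSL policy, so the two comments should use the same distro list, e.g. `# Fedora/CentOS/RedHat have SHA1 disabled for certificate verification and need setting an environment variable to permit it:`. Unlike the per-test placement in the first patch of this series, this entry presumably reaches every process the external suite launches, which is consistent with the existing MD5 line but worth one clause in the comment so that nobody later narrows it per test without realizing the whole suite relies on it.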